[Gerrit Account Permission]The account has been added to the administrator group, but in reality, the account has lost admin privileges?

100 views
Skip to first unread message

Rain JJ

unread,
Mar 27, 2024, 2:24:28 AM3/27/24
to Repo and Gerrit Discussion


Dear all:

I have been testing Gerrit multisite recently, and the change synchronization is working properly.

Now I have encountered a permission issue:

When I added the account dev_test1 to the administrator group on node A, whether on node A or node B, the account dev_test1 does not have administrator privileges (including creating projects, modifying projects, etc.),

After login with the account dev_test, there is no 'CREATE NEW' project bottom and 'EDIT' bottom of the project access on the Gerrit WEB UI.

 

But when checking the members of Administrators, it does exist. I am certain that account dev_test1 has been added to Adminstrators Groups.

Because the administrator privileges of the account jjran, which is also in the Administrators members group, are correct.

 

It was not until I explicitly added the account dev_test1 to the Global Capabilities section of All-Projects and added the Administration Server permission that it became correct.

I don't kown why this is happening?

I observed that when I added dev_test1 to the administrator group on node A, Gerrit had two warning logs:

[2024-03-26T09:54:16.929Z] [HTTP GET /accounts/self/groups (dev_test1 from 172.22.176.39)] WARN  com.google.gerrit.server.group.db.GroupsNoteDbConsistencyChecker : group with name 'Service+Users' has UUID 'd6f082fd089c3c1f9760d6d80b5dc46434e8e98f' in 'group.config' but '6fb41d0bef540aba80e2d0d6446e94cadd9c5fa1' in group name notes [CONTEXT request="REST /accounts/*/groups" ]

[2024-03-26T09:54:16.930Z] [HTTP GET /accounts/self/groups (dev_test1 from 172.22.176.39)] WARN  com.google.gerrit.server.group.db.GroupsNoteDbConsistencyChecker : group with name 'Administrators' has UUID 'dd10a5402a3f64db480fda0ccc3b85ffda5f87fc' in 'group.config' but 'b3923fde7fc535036b49b41a5d65386187e73bb7' in group name notes [CONTEXT request="REST /accounts/*/groups" ]

 

I believe this warning logs may be related to my problem, but I have no way to start.

 

My environment configuration is as follows

Gerrit (3.8), two master R/W nodes: A and B;

LDAP authentication

 

plugin:

multi-site

events-rabbitmq

pull-replication

websession-broker

zookeeper-refdb

 

replication.config:

[gerrit]

    autoReload = true

    replicatePermissions = true

    replicateOnStartup = false

[replication]

    lockErrorMaxRetries = 5

    maxRetries = 5

    userCGitClient = false

    consumeStreamEvents = true

    syncRefs = "ALL REFS ASYNC"

    maxApiPayloadSize = 40000

    excludeRefs = refs/multi-site/version

[remote "master_20"]

    url = master_20:/data/gerrit_multisite/review_site/git/${name}.git

    apiUrl = http://10.79.29.20:8081

    fetch = +refs/*:refs/*

    timeout = 600

  rescheduleDelay = 2

    replicationDelay = 2

    createMissingRepositories = true

    replicateProjectDeletions = true

    replicateHiddenProjects = true

    replicatePermissions = true

 

Looking forward to your reply!

 

Reply all
Reply to author
Forward
0 new messages